August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

GENERAL RULE Implement reasonable procedures to ensure that only the minimum necessary of protected health information (PHI) is USED, DISCLOSED OR REQUESTED when conducting payment activities and health care operations.

APPLICABILITY Covered Entities Healthcare providers Health insurers Clearing houses Uses, Disclosures and Requests Payment and Healthcare Operations Activities where authorizations are required

EXCEPTIONS Treatment of the Individual Permitted or Required Disclosures to the Individual Pursuant to the Individual’s authorization Disclosures to the Secretary of HHS for compliance and enforcement purposes

EXCEPTIONS Disclosures Required by Law: Public Health Activities Abuse, Neglect or Domestic Violence to the extent authorized by statute or regulation Health Oversight Activities Excludes Private Accreditation Organizations Judicial & Administrative Proceedings Law Enforcement Purposes

USE STANDARDS Identify persons (or classes of persons) in the workforce who need to access PHI to carry out their duties. Identify the categories of PHI to which access is needed and any conditions appropriate to such access. Make reasonable efforts to limit access by those identified above to PHI that they do not need to carry out their duties. No case-by-case review ever required for USE.

USE STANDARD CHECKLIST  Identify and classify all employees & contractors who need access to PHI  Identify the PHI each can access  Provide justification for those allowed access to entire PHI  Identify the conditions when certain PHI is accessible.  Job Descriptions identify access levels

DISCLOSURE AND REQUESTS ROUTINE Requires policies and procedures, which may be standardized protocols. NON-ROUTINE Establish criteria to limit PHI to that reasonably necessary to accomplish the purpose. Individual review using the criteria.

DISCLOSURE STANDARDS Routine v. Non-Routine Disclosures. Reasonable Reliance For Requests Made by: Public Officials Another Covered Entity Professional member of workforce/business associate Researcher (IRB/Privacy Board)

DISCLOSURE: REASONABLE RELIANCE Representation that PHI requested is the minimum amount necessary. Who Public Officials Professional in the Workforce or B.A. Written v. Oral Tracking System

DISCLOSURE: REASONABLE RELIANCE Researchers Requires Written IRB/Privacy Board determination Must describe PHI Must include voting procedures Review Preparatory to Research or for research on PHI of decedents. Copy of death certificate Documentation from researcher Necessity Minimum Necessary

DISCLOSURE CHECKLIST  Identify PHI not subject to an exception or reasonable reliance  Identify individuals/entities that would request PHI  Identify conditions that would apply for disclosure.  Justification for routine disclosures of entire PHI

DISCLOSURE CHECKLIST  Written criteria to limit non- routine disclosure of PHI to that reasonably needed.  Designate individual(s) to review non-routine disclosures.  Written tracking process for each non-routine disclosure reviewed.

REQUEST Applies to Requests made by covered entities to covered entities Key Items Burden is on the requesting party Recipient can use the reasonable reliance standard when disclosing PHI to the requesting covered entity. Routine v. Non-routine

REQUEST CHECKLIST  Identify individual(s) responsible for making requests.  Identify routine requests  Justification for requests requiring the entire medical record.  Designated individual(s) responsible for making determinations of minimal necessary for non-routine requests.